Add cache-write input for read-only cache mode

[salmanmkc]

When cache: true is set, this action restores and saves the NuGet global-packages cache. For PR workflows there's no way to do restore-only — a malicious PR can write to the cache and have it affect later trusted runs.

This adds a cache-write input (defaults to true, backward compatible). When false, the post-step save is skipped.

Usage:

- uses: actions/setup-dotnet@v5
  with:
    dotnet-version: 8.x
    cache: true
    cache-write: ${{ github.event_name != 'pull_request' }}

What changed:

• action.yml — new cache-write input
• src/cache-save.ts — early return when cache-write is false
• dist/ — rebuilt

Same change going into setup-node, setup-python, setup-go, setup-java.

[Copilot]

Pull request overview

Adds a new cache-write input to support a “read-only cache” mode, preventing untrusted workflows (e.g., PRs) from saving back to the NuGet cache while still allowing cache restore.

Changes:

• Introduces cache-write input in action.yml (default true for backward compatibility).
• Skips the post-step cache save when cache-write is disabled.
• Rebuilds generated dist/ output to include the new behavior.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 3 comments.

File	Description
action.yml	Adds the cache-write input to configure whether the post-step saves the cache.
src/cache-save.ts	Adds an early return to skip cache saving when cache-write is disabled.
dist/cache-save/index.js	Compiled output reflecting the cache-write gating logic.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[Copilot]

cache-write is defined as a boolean input (action.yml default: true), but the code reads it with core.getInput() and compares to the exact string 'false'. This is brittle (e.g., False/FALSE/whitespace won’t be treated as false) and could unintentionally enable cache writes. Prefer core.getBooleanInput('cache-write') and negate it for the early-return check.

Suggested change

	const cacheWriteEnabled = core.getInput('cache-write');
	if (cacheWriteEnabled === 'false') {
	const cacheWriteEnabled = core.getBooleanInput('cache-write');
	if (!cacheWriteEnabled) {

[Copilot]

New behavior (skipping the post-step cache save when cache-write is false) isn’t covered by tests. There are existing unit tests for cache-save; please add a case that sets cache: true and cache-write: false and asserts no save attempt is made (e.g., no getState/saveCache calls).

[Copilot]

The cache-write early-return runs before checking whether cache is enabled. If a workflow sets cache-write: false but cache: false, this will still emit a “Skipping cache save” message even though no save would happen anyway. Consider checking cache first (or only logging when caching is enabled) to avoid confusing logs.

Suggested change

	const cacheWriteEnabled = core.getInput('cache-write');
	if (cacheWriteEnabled === 'false') {
	core.info('Cache write is disabled (read-only mode). Skipping cache save.');
	return;
	}
	if (core.getBooleanInput('cache')) {
	await cachePackages();
	}
	const cacheEnabled = core.getBooleanInput('cache');
	if (!cacheEnabled) {
	return;
	}
	const cacheWriteEnabled = core.getInput('cache-write');
	if (cacheWriteEnabled === 'false') {
	core.info('Cache write is disabled (read-only mode). Skipping cache save.');
	return;
	}
	await cachePackages();

[Frulfump]

Copilot left some potentially good comments. (Some required checks are also failing, unclear if it's due to this PR or just flaky CI.)

This seems like something where it would be good to make it a required setting in an upcoming major version change due to the security concern. But taking the change with the same behavior as before means it can bake for a while and give people a chance to test it out first.